Posted
by
samzenpus
on Friday February 28, 2014 @05:23AM
from the wiped-clean dept.

mpicpp writes "It looks thicker than most of the phones you see at Best Buy, but Boeing's first smartphone isn't meant to be used by the average person. The company that's known for its airplanes is joining the smartphone game with the Boeing Black, targeted at people that work in the security and defense industry. One of its security features is self-destructing if it gets into the wrong hands, although not quite in the Mission Impossible sense. According to the company's letter to the FCC, the phone will have screws with a tamper-proof coating, revealing if a person has tried to disassemble it. 'Any attempt to disassemble the device would trigger functions that would delete the data and software contained within the device and make the device inoperable,' writes Bruce Olcott, an attorney for Boeing."

"screws with a tamper-proof coating, revealing if a person has tried to disassemble it"

I'm pretty sure I would notice if someone took a dremel to my phone.

No you wouldn't. You'd just know your phone was gone. And you'd believe that at least your data was safe, because the self-destruct would have been triggered when the thief removed the screws. Except it wasn't.

The people that would use this phone are probably no as worried about someone taking their phone and attempting to access their encrypted data, rather they are worried about compromising their phone and any other systems their phone connects to.

Judging by the target audience my guess is they are afraid of a lot more subtle tampering techniques than using a dremel. I would fully expect that a professional, of the types they are worried about, could disassemble your phone modify it it and reassemble it without your being the wiser. Which is why they want it to be impossible, or at least exceedingly difficult, to hide tampering and want it to self destruct.

The way I'd have the destruct work would be to encrypt everything and keep the key in a special tamper chip that will dump the key if a tamper trips.

Anyways, there are options to screw up your little proposal, such as a sensor inside that looks for disturbance. A light sensor where there should be no light, for example. Put a series of wires along the inside of the case, and if the resistance changes, such as from somebody cutting a wire trying to dremel their way in, trigger the tamper. Another option w

It would probably be difficult to build the "disturbance detecting" chip in a way that couldn't be circumvented but that also wouldn't trip accidentally. Any light detecting mechanism better not get accidentally triggered by electromagnetic rays (like infra-red) that are slightly outside the visible spectrum, but can easily pass through plastic. Also, if it was light sensitive, you could just disassemble the phone in a darkroom.

It would probably be difficult to build the "disturbance detecting" chip in a way that couldn't be circumvented but that also wouldn't trip accidentally.

To be more clear, my 'tamper chip' is merely a storage device. If voltage is lost at pin 1, dump, if voltage present on pin 2, dump. If voltage on pins 3&4 don't match within tolerances, dump. After that, it's all about sensors hooked up. Careful design can minimize 'false alarm' trips, depending on where your relative paranoia lays. I've worked with equipment that have tamper alarms that a strong *bump* can trigger, then the device is unusable until you use a special key on it(and said key only wo

This kind of chip has been designed. I am not quite sure if it has been produced, but if the people I know in the industry have a design sitting on the drawing board that they feel can be sold with a complete CA authority in it without fear of any tampering, then it is possible.There are lots of different anti-tamper vectors you need to cover, but the truth is the tech exists to make it a really hard challenge for anyone, even a big agency. Of course, any backdooring in the software or hardware renders thes

Not really, unless you're trying to do it with traditional tools. A little pressure and a tool that conforms perfectly to the head will usually do the job, especially if enhanced with a little adhesive. And there's no shortage of low-temperature metals from which to make a perfectly conforming tool in seconds. If you're trying to prevent the phone from being tampered with by espionage professionals you've got to assume their tool kit is a lot more specialized tha

There is always a way. Consider dumping the phone into liquid helium, before applying the Dremel. Batteries don't work so well at cold temperatures. Software, including self-erasing software, can't run without a power source....

Not hardly - it may instant-freeze the case, but there's an insulating air-gap between the case and electronics, enough to buy you the fraction of a second needed to securely wipe the encryption key. I wouldn't even bet on liquid helium bringing the temperature down fast enough.

True, but even a superfluid doesn't flow at infinite speed. Especially when violently boiling away from a scathingly-hot room temperature device. You won't get superfluid penetrating the case until the case has already cooled down below the boiling point. Sort of the reverse of the old boiling water in a paper bag trick.

Oh, and you generally don't do a tamper 'proof' coating on screws, you do a 'tamper-evident' coating.

Want your own tamper evident coating? Buy a bottle of the cheapest, cheesiest glitter nail polish you can find. Coat the screws with a layer. Take a high resolution picture of each screw. Suspect tampering? compare the current coating with the picture.

As for deleting the data off the device, I'd probably simply encrypt everything on the device, with the key stored in a specific chip designed to dump said key if anything triggers it. No Key = No Data.

neither resistance nor prevention is the goal. The goal is to prevent un-noticeable tampering.
If you get your phone back from the lost and found at the local Chinese restaurant, you want to make sure they didn't copy the sim card so-to-speak.
This phone is designed for the sorts of people who build and defend against things like Stuxnet.

As for deleting the data off the device, I'd probably simply encrypt everything on the device, with the key stored in a specific chip designed to dump said key if anything triggers it. No Key = No Data.

This technique is incredibly common - the iPhone has done it ever since the 3GS 5 years ago.

I would think the Boeing one goes one further and rather than storing the key encrypted with a per-ASIC key in flash, the key is in SRAM that's wiped when battery power is cut or other thing.

As we're going along here, we seem to be getting tighter security for the cost of a steadily increasing chance of one of these customers accidentally destroying all their data.

I was under the impression that it had become straightforward to plan for destruction of an Internet-connected device by making automatic backups that are encrypted while at rest and while in motion. Encryption key dumped? Replace the device, associate the new encryption key, and restore.

When I worked in the ATM industry we already had that feature built into the keypad (EPP). If you tried to extract the keys any number of ways (freeze spray, remove back cover, cut front cover, etc.) it would dump the memory and leave the attacker with nothing. All you have to do is contact one of the companies that built those EPP's and they can guide you into a LOW COST hardware method of dumping everything. You don't need to go with a fancy "custom coating" that might fail or have alternative issues. I would not buy this phone as it is over-priced, and I can do the same thing with a common android smartphone and a little software and hardware tweaking. Epoxy is your friend for keeping people out of things they don't need to see, as is encryption with delete upon failure to decrypt. What a joke, but they will sell a bunch of them to Gov. and "special" people.

Don't depend on that when you have really expensive secrets, and that is what this phone is aimed at. With an ATM, I would expect the maximum loss if somebody attacks this successfully is around 10 Million USD/EUR. (I think the card-cloners that recently went around got 3.5 Million only.) Also remember that an ATM keypad affords a steel front-plate, excellent RF shielding, no access from behind and the ATM itself comes with a number of tamper detectors and usually has a direct line to the police or some sec

But the ATM doesn't contain much cash, and has serious safeguards in place against theft. The bank accounts of the people using it on the other hand...

Hell, one time I paid down my brother's credit card debt from my bank account - it was actually rather scary. They transferred thousands of dollars out of my account given nothing more than his word, the account number on the bottom of every one of my checks, and a validation call to a prepaid cell phone number he provided.

Maybe they're not all as loaded, but a friend worked at a bank (basically drive up, park and walk access, albeit on Miami Beach) and on a Friday night they'd stock their ATM with $50K, and half of it would be legally withdrawn by Saturday morning.

If your brother had defrauded you, you could go after him in court and make a bunch of lawyers rich while you attempt to recover a piece of your money.

Hatred of lawyers is probably what keeps most people honest, whether they know it or not.

They are basically claiming they have a HSM here. Now, HSMs are as expensive as they are for a reason (50'000 USD/EUR is quite standard). One is that attackers have to pay a lot to get their hands on one for analysis. Another is to have several layers of protection, several independent power sources, solid steel tamper barriers, etc. Still, they are designed to be secure when in a 19" rack in a secured data-center and when it becomes obvious fast that one has been removed.

Not sure where to go with this one. Is the joke supposed to be "So, Boeing has teamed up with Sony to use their batteries in a new smart phone..." or "Leveraging the battery technology used in the 787 Dreamliner..."

The only difference seems to be that with this phone, if an attacker tries to get at the data you end up with a non-working phone and an attacker without data, while with an iPhone you end up with a working phone and an attacker without data. OK, this phone has also some more security claims, but of course they are not proven.

You do realize your Macbook is not an iPhone and does not run anything approaching the same operating system?

The operating system is actually more than 85% identical:-) Still, I don't know how turning on a non-existing encryption option on iOS (it's not an option, you can't turn it off) would mess up his MacBook, and how messing up his MacBook would require him to re-install the OS on his iPhone.

The thing I absolutely _LOVE_ about the Apple ecosystem is the absolute certainty of the people who just got one that they know _everything_ there ever was to know about them, back to the original Apple I to hear some talk about it.

Case in point, I own an iPad 1, actually won it in a contest, but, whatever, we've had it since about 3 months after the iPad first came out. A few months ago, the USB-30pin cable that came with it died - bad strain relief, pretty typical of Apple products of the era, including

Put an iPhone in a faraday cage and the data won't be deleted. No way for the signal from Steven in the sky to tell it to delete the data. Disassemble the device, hot air the flash chips off the phone to you own custom boards... boom, full access to all the data. (Actually, not entirely true for smarter users with encrypted data, but close enough for this discussion, since all 3 of those iPhone users who encrypt their data don't have anything that matters anyway.)

That's the point - you don't have full access to the data. You have no access to the data. You have access to an encrypted file system, where every single file is encrypted with a different random 256 bit key.

The biggest issue with this phone is not weather it can be tampered with without the owners knowledge, but that anyone that has one of these phones will be instantly noticeable as a high value target. The only people that this device makes sense for are public figures, senators, congressmen, CEO's of large defense contractors,... Everyone else will be better protected by following simple security precautions and not carrying around a large flag that says I'm worth the effort.

This sounds not like it will protect your data but will keep crypto researchers from finding that the NSA has put a back door into the product. Quite simply if it comes from the US, Canada, Australia, or the UK the product is not to be trusted. Which is sad as I am a Canadian and would love to make crypto products but at this point wouldn't trust even a company that had US citizens working for it let along based in the US.

This might be the most solid argument against these spy agencies, whatever "attacks"

At FIPS-140 Level 4, the crypto keys are stored on a unit that actively monitors for attack by environmental, electromagnetic, and physical methods.The physical is usually handled by a mesh of gridwires over the die.

The problem, of course, is Boeing is in bed with the government for Billions (Trillions) of dollars worth of military hardware, so don't think they'd sell you an Android phone before having a friendly chat with their friends at [A-Z]{3}.

[Disclaimer: I work for The Boeing Company, buy my comments are my own and do not reflect the position of the company.]

Let me state that this is probably a very good idea, even through this is the first that I've heard about the device. Often the biggest problem when dealing with smartphones is protecting sensitive data, be it emails or documents being stored on the device. Commercial solutions are often lacking in security, which is why Blackberry still exists as a company. Their offerings are much

Pure FUD. Go to the Apple website, do a bit of searching around, until you find the document describing the iPhone security features. At this point in time, there is no police force that can read email from a confiscated iPhone unless the user unlocks it.

[Disclaimer: I do not work for Apple]
Pure FUD. Go to the Apple website, do a bit of searching around, until you find the document describing the iPhone security features. At this point in time, there is no police force that can read email from a confiscated iPhone unless the user unlocks it.

Care to try again? From Forbes:

But even when those login safeguards are set up in other cases, law enforcement have still often been able to use tools to bypass or brute-force a phone’s security measures. Google in some cases helps law enforcement to get past Android phones’ lockscreens, and if law enforcement can’t crack a seized iPhone, officers will in some cases mail the phone to Apple, who extract the data and return it stored on a DVD along with the locked phone.

The simplest way to self-destruct data on the device is to simply encrypt it using a large key stored in CMOS embedded in the SoC's hardware crypto-engine and clear it (either with an actual reset signal or simply killing power) if tampering is detected to instantaneously render all stored data useless. The next time the boot-loader runs if the device is ever powered up again before being restored to factory specs, it can generate a new encryption key and start erasing storage to make the data completely un

That would not necessarily work: it would definitely fry the IO front-end but most of the NVRAM matrix would likely remain intact and recoverable by stripping the top encapsulation and top metal layers then scanning the NVRAM cells with a magnetic force microscope.

Also, if the devices self-destructs through high voltage, someone who has already dissected one of these phones before would know where the high-voltage components are, how they operate, how they are triggered and would likely be able to come up with a way to prevent the high voltage pulse from reaching the NVRAM chips such as using a pneumatic framing nailer to destroy/short the high voltage circuitry faster than it can be triggered by tamper sensors.

So, even with physical destruction built-in, you would still need strong device-level encryption as a fail-safe.

The most beautiful thing about having a decryption key embedded in a secure microcontroller managing tamper-proofing sensors (which is itself embedded in the SoC running the rest of the device's functions) is that disabling tamper-proofing is impossible to do without disabling the secure micro-controller and disabling it either physically or by cutting power kills the decryption key just like tripping tamper-proofing sensors would.

No, it is meant to stop sophisticated attackers. It will be interesting to see what happens the first time the police decide they need to access one of these and request that Boeing help them. If designed correctly there should be nothing Boeing could do to help them, but considering all the fat defence contracts and government money that goes their way I doubt they would have neglected to put an NSA approved back-door in.

All you'd need to do is build it on a flammable PCB with a nichrome-wire-style electrical ignition element embedded within it, and discharge the (I would assume normally inaccessible without tripping the destruct) battery through it. The destruct could even have it's own built-in and seperate battery

All you'd need to do is build it on a flammable PCB with a nichrome-wire-style electrical ignition element embedded within it, and discharge the (I would assume normally inaccessible without tripping the destruct) battery through it. The destruct could even have it's own built-in and seperate battery

Well, that'd slow thing down a little, but a battery-based self destruct could be circumvented by simply waiting a few days/weeks while the phone struggles to find a decent signal. Less time than the Apple law enforcement request backlog IIRC.

There are many ways to make the memory inside it proof against intrusion.I know of a company with a chip design that includes a mesh and a vacuum compartment. The mesh can detect electrical, thermal, or physical intrusions. The vacuum compartment, if breached, is another way of telling someone is trying to access the physical memory substrate. There's also some other detection mechanisms as well. All of them zeroize the memory well enough to prevent anyone getting anything useful off of it.

No, it is meant to stop sophisticated attackers. It will be interesting to see what happens the first time the police decide they need to access one of these and request that Boeing help them. If designed correctly there should be nothing Boeing could do to help them, but considering all the fat defence contracts and government money that goes their way I doubt they would have neglected to put an NSA approved back-door in.

In the case of the iPhone, there is no back door, but there is a front door. The only way to get into an iPhone is to either crack a 256 bit key (per file), or to enter the passcode. Only software code-signed by Apple can unlock an iPhone. In normal use, that's the software that runs when the user types in his passcode. Apple and Apple only can replace this software. And then they can try to unlock the phone at the amazing rate of ten attempts per second (the passcode hash function is calibrated to use one

Why do you suspect only apple has this software and can deploy it?The latest exploit *we know of* made apple's update vulnerable to a man-in-the-middle attack. If that's the case, then any OS module could be overwritten to introduce a backdoor, apps could be introduced which had backdoors, etc.

Beyond that, the 256 bit key is only as good as the RNG that cranked it out. That might or might not be a bulletproof one depending on where they got their key generation algorithm and implementation and what sources

Given what TFA had to say about who could actually get their hands on one of these phones, I think you're right. I've been involved in anti-tamper design and implementation for DoD projects, and the level of paranoia and secrecy associated with the whole subject is extremely high. I'm going to guess that anything that has been publicly "revealed" by Boeing regarding the anti-tamper implementation is probably untrue, or at least misleading. Anti-tamper is like Fight Club; you're not supposed to talk about

Governments aren't the only ones who want security. I bet you the anti-corporate espionage market is far, far larger, especially for something like this that only costs pocket change. Lot's of people would like to keep their phones safe from discrete data harvesting while they're enjoying the jacuzzi.

You think Apple's got folks on an upgrade treadmill? Imagine the pressure to upgrade "the most secure phone in the world" every time a new bypass technique is developed. Forget OS upgrades, you need a whole

And if it actually does what Boeing claims, you aren't going to find any articles telling you how it works; that, in and of itself is part of its security.

In the real world, people take advantage of security through obscurity. That doesn't mean they rely on it, but theres nothing wrong with throwing something in front of the attacker to slow them down even if its only temporary as long as thats not your only attempt at security.

Actually, I suspect most of the folks who end up buying the phone will be buying them specifically to figure out how to break them.
It's a brilliant marketing scheme. Justin Bieber and Kim Jong Un will each buy one for security reasons and the other 70,000 Boeing ends up selling will all go to security researchers in China, Russia and Europe.

The $629 version is not the Boeing Black at all, but the "similarly named Blackphone." "That high-security phone was revealed earlier this week at the Mobile World Congress in Barcelona, Spain. It was developed by a team of cryptographers and is currently available for preorder at $629."

It's less depressing if you think about history in cycles. Old ossified institutions get replaced by young upstarts, who promptly begin ossifying themselves but make some progress before completely stagnating and being replaced in turn. A similar phenomena happens with government and the battle between democracy and aristocracy - the entire history of civilization can be characterized as a long slow slide toward aristocracy, punctuated by occasional leaps towards democracy. Despite the slope being almost

Although I generally agree with your thesis, I will point out those 'leaps' can be painful. The longer we can fight the slide towards statist or authoritarian rule, the longer we can make at least some progress before things get bad enough to need a bloody revolt.So, keeping the slope of the decline as close to flat as we can by fighting attempts to hobble democracy still matters.

I do find it interesting that if you read the classics, you'll see Greeks and Romans arguing many of the issues of governance we

I don't think that the self-destruct feature is even supposed to be completely invulnerable. It's a nice addition to the bag of various security features. Some uninformed attacker might not know that this phone has such anti-tamper measures, leading to this protection working as intended. Or some other attacker might be aware of the feature, but it is enough for him to not bother with sophisticated tools to open the phone. On the other hand, using specialized tools to crack it open will also increase the ti